September 9, 2002

MEMORANDUM

FOR:      M/AS, Roberto J. Miranda

FROM:     IG/A/ITSA, Melinda G. Dempsey /s/

SUBJECT:  Risk Assessment of Major Functions Within the Office of the
          Director of the Office of Administrative Services, Bureau for
          Management
          (Report No. A-000-02-001-S)

This memorandum is our report on the subject risk assessment. Although
this is not an audit report, this report contains suggestions for your
consideration. We have reviewed your comments, and they are included as
Appendix II. I appreciate the cooperation and courtesy extended to my staff
during the risk assessment.


Background

The Office of Administrative Services, Bureau for Management, (M/AS)
provides logistical support services and administrative services worldwide
and is responsible for functions costing approximately $40 million annually.
It is comprised of the Office of the Director and four divisions:

•   Consolidation, Property and Services Division,[1]
•   Information and Records Division,[2]
•   Overseas Management Support Division,[3] and
•   Travel and Transportation Division.[4]

During the past decade, the Office of Inspector General has performed few
audits of the Office of Administrative Services’ functions. In addition, the
Office of Administrative Services has received limited external reviews and
evaluations from other sources. Given the lack of external independent
reviews, including audits, we performed risk assessments of the major
functions of the Office of the Director of the Office of Administrative
Services.

[1] See risk assessment Report No. A-000-02-002-S.
[2] See risk assessment Report No. A-000-02-003-S.
[3] See risk assessment Report No. A-000-02-004-S.
[4] See risk assessment Report No. A-000-02-005-S.

The General Accounting Office’s “Standards for Internal Control in the
Federal Government” (November 1999) note that internal controls should
provide reasonable assurance that agency objectives are being achieved,
operations are effective and efficient, and assets are safeguarded against loss.
Internal controls consist of the following five interrelated components.
These components are the minimum level for internal control and provide
the basis against which internal control is to be evaluated.

1. Management and employees should establish and maintain a control
   environment throughout the agency that sets a positive and supportive
   attitude toward internal control and conscientious management.
2. Internal control should provide for a risk assessment of the risks the
   agency faces from both external and internal sources.
3. Internal control activities should be effective and efficient in
   accomplishing the agency’s control objectives and help ensure that
   management’s directives are carried out.
4. Information should be recorded and communicated to management and
   others within the agency who need it and in a form and within a time
   frame that enables them to carry out their internal control and other
   responsibilities.
5. Internal control monitoring should assess the quality of performance over
   time and ensure that the findings of audits and other reviews are
   promptly resolved.

This review focused on the second component—risk assessment. The GAO
Standards note that the specific risk analysis methodology used can vary
because of differences in agencies’ missions and the difficulty in
qualitatively and quantitatively assigning risk levels. This review assigned a
risk exposure of high, moderate, or low for each major function. A higher
risk exposure simply indicates that the particular function is more vulnerable
to its program objectives not being achieved or irregularities occurring.
Appendix I describes in detail our risk assessment scope and methodology.


Discussion

The Office of the Director of the Office of Administrative Services, Bureau
for Management, (M/AS) is responsible for the following three major
functions.[5] Our assessments of the risk exposure for each of these major
functions are described below.

[5] Our risk assessments only covered major functions. In addition to major
functions described in this report, the Office of the Director also is
responsible for overall management, oversight, and coordination.

Function Description:  Parking—Management of the parking program for the
                       Ronald Reagan Building
Risk Exposure:         High

Risk Assessment Factors

• Fiscal year 2001 USAID cost for parking was $667,000 for 324
  parking spaces within the Ronald Reagan Building—over $2,000 on
  average for each parking space. This does not include an additional
  $780 charged to carpool permit holders.
• The management of parking directly affects the allocation of an
  employee benefit and, thereby, the perception of evenhandedness.
• Approximately 20 percent of one staff member’s time is used to
  manage the allocation of Ronald Reagan Building parking spaces.
• According to draft policy, parking spaces are allocated roughly
  into the following categories: general carpools (45%),
  individual bureau allocations (42%), disabled employees (7%),
  executives (3%), and official vehicles (3%).
• Clear ranking factors are published to evaluate general carpool
  applications.
• Bureaus allocate their own parking spaces.
• Documented internal control procedures for managing the parking
  program are out-of-date, from 1997.
• The current Automated Directives System (ADS) 514, “Parking
  Program Administration”, is out-of-date, but is in the process of
  being finalized. The ADS chapter was last certified as current in
  January 1997. It is based on parking at the Department of State,
  rather than USAID’s current occupancy at the Ronald Reagan
  Building.

Function Description:  ICASS—Participation in the policy functions of the
                       Interagency Working Group for International
                       Cooperative Administrative Support Services (ICASS)
Risk Exposure:         Low

Risk Assessment Factors

• ICASS is a cost distribution system to ensure that federal agencies
  reimburse one another for costs of common service functions
  primarily in overseas locations.
• USAID’s fiscal year 2001 ICASS costs were $33 million, which was
  4 percent of the total of $738 million charged to all federal agencies.
  However, Division staff do not control ICASS dollar allocations.
• One staff member with approximately 15 years’ experience
  represents USAID on the Interagency Working Group for ICASS.
• Two staff members represent USAID on Interagency Working
  Group committees for (1) budget, personnel, and awards and (2)
  handbook, training, studies, and information technology.

Function Description:  Rental payments review—Review of rental payments for
                       the Ronald Reagan Building and other USAID-occupied
                       facilities
Risk Exposure:         High

Risk Assessment Factors

• Rental payments for seven different facilities from four different
  government agencies account for fiscal year 2001 costs of $31.4
  million. The $31.4 million in rental payments is approximately 80
  percent of the $40 million budget for the Office of Administrative
  Services. Rent for the Ronald Reagan Building alone accounts for
  $30.7 million in payments to the General Services Administration.
• One staff member has been responsible for ensuring the accuracy of
  USAID rental payments. Bills from the General Services
  Administration and other government agencies at times contain
  errors that have to be reconciled. The staff person has effectively
  identified numerous instances of inaccurate billings resulting in
  substantial savings to USAID over the last five years.
• No contingency arrangement is in place for performing this function
  in the event of an extended absence of this staff member.
• Staff member did not receive formal training for the position.
• Training for the function is not standardized.
• Internal control procedures for performing the function are not
  documented.
• Position description does not describe functional responsibilities.


Conclusion

Our risk assessments of the Office of the Director of the Office of
Administrative Services, Bureau for Management, (M/AS) covered three
functions and reached the following conclusions.

                                                     Risk Exposure
Function Description                             High   Moderate   Low
----------------------------------------------   ----   --------   ---
Parking—Management of the parking                 ✓
program for the Ronald Reagan Building
ICASS—Participation in the policy                                   ✓
functions of the Interagency Working
Group for International Cooperative
Administrative Support Services (ICASS)
Rental payments review—Review of rental           ✓
payments for the Ronald Reagan Building
and other USAID-occupied facilities

Based on these risk assessments, we suggest that the Office of Administrative
Services focus its efforts to mitigate the higher risk associated with the
functions of (1) management of the parking program and (2) review of rental
payments for the Ronald Reagan Building and other USAID-occupied
facilities. Specifically, for the parking program, we suggest that the Office:

•   update the documented internal control procedures for managing the
    parking program and the ADS chapter 514, “Parking Program
    Administration”.

Specifically, for the review of rental payments, we suggest that the Office:

•   develop written internal control procedures,
•   update the position description to reflect responsibilities,
•   standardize training requirements, and
•   establish a contingency arrangement for performing this function in the
    event of an extended absence of the staff member.

The Office of Administrative Services management agreed with our risk
assessments and our suggested courses of action. The Office of
Administrative Services noted in their comments on the draft report (see
Appendix II) that these assessments of vulnerabilities were an opportune
first step for the business transformation urged by the new Assistant
Administrator for the Management Bureau.


Appendix I

Scope and Methodology

Scope

The Office of Inspector General, Information Technology and Special
Audits Division, conducted a risk assessment of major functions within the
Office of the Director of the Office of Administrative Services, Bureau for
Management (M/AS). This risk assessment was not an audit. The risk
assessment covered operations principally for fiscal year 2001. The risk
assessment was conducted at the USAID headquarters in Washington, D.C.
from October 12, 2001 to February 14, 2002.

Our risk assessments of the Office of the Director’s major functions have the
following limitations in their application.

•   First, we assessed risk at the major function level only, not at the
    Division or Office level.
•   Second, we assessed risk only. Our risk assessments were not sufficient
    to make definitive determinations of the effectiveness of internal controls
    for major functions. Consequently, we did not generally (a) assess the
    adequacy of internal control design, (b) determine if controls were
    properly implemented, and (c) determine if transactions were properly
    documented. If we were able to make these types of determinations
    within the scope of our work, we reported on them accordingly as part of
    our risk exposure assessments.
•   Third, higher risk exposure assessments are not definitive indicators that
    program objectives were not being achieved or that irregularities were
    occurring. A higher risk exposure simply indicates that the particular
    function is more vulnerable to such events.
•   Fourth, risk exposure assessments, in isolation, are not an indicator of
    management capability due to the fact that risk assessments consider
    both internal and external factors, some being outside the span of control
    of management.
•   Fifth, comparison of risk exposure assessments between organizational
    units is of limited usefulness due to the fact that risk assessments
    consider both internal and external factors, some being outside the span
    of control of management.

Methodology

We interviewed officials as well as reviewed related documentation of major
functions performed by the Office of the Director. These documents covered
background, organization, management, budget, relevant laws and
regulations, staffing responsibilities, prior reviews, internal controls, and
risks (i.e., vulnerabilities). Our review of the Office of the Director
documentation was limited and judgmental in nature and conducted
principally to confirm oral attestations of management.

We identified the Office of the Director’s major functions using the input of
the Division Director and based on the significance and sensitivity of each
major function. We determined risk exposure for all major functions in each
division, e.g., the likelihood of significant abuse, illegal acts, and/or misuse of
resources, failure to achieve program objectives, and noncompliance with
laws, regulations and management policies. We assessed overall risk as high,
moderate, or low. A higher risk exposure simply indicates that the particular
function is more vulnerable to its program objectives not being achieved or
to irregularities occurring. We considered the following key steps in
assessing risk:

(a)    determined significance and sensitivity;
(b)    evaluated susceptibility of failure to attain program goals,
       noncompliance with laws and regulations, inaccurate reporting, or
       illegal or inappropriate use of assets or resources;
(c)    were alert to "red" flags such as a history of improper administration
       or material weaknesses identified in prior audits/internal control
       assessments, poorly defined and documented internal control
       procedures, or high rate of personnel turnover;
(d)    considered management support and the control environment;
(e)    considered competence and adequacy of number of personnel;
(f)    identified and understood relevant internal controls; and
(g)    determined what is already known about internal control effectiveness.

These risk assessments were not sufficient to make definitive determinations
of the effectiveness of internal controls for major functions. As part of the
review methodology, we did (a) identify, understand, and document (only as
necessary) relevant internal controls and (b) determine what was already
known about the effectiveness of internal controls. However, we did not
generally (a) assess the adequacy of internal control design, (b) determine if
controls were properly implemented, nor (c) determine if transactions were
properly documented. In some cases, we were able to make these assessments
and reported on them accordingly as part of our risk exposure assessments.


Appendix II

Management Comments

March 19, 2002

MEMORANDUM

TO:       Melinda Dempsey, IG/A/ITSA

FROM:     Roberto J. Miranda, M/AS/OD

SUBJECT:  Risk Assessment of Major Functions Within the
          Office of the Director of the Office of
          Administrative Services
          (Report No. A-000-02-xxx-S)

     M/AS/OD worked closely with the Inspector General's
office on this survey believing that this assessment of
vulnerabilities was an opportune first step on the way to
the business transformation urged by the new Assistant
Administrator for the Management Bureau. We concur in
the assessment of risk and recommendations.

     Parking: The ADS 514 Chapter, “Parking Program
Administration” is being updated. It is expected that it
will go out for final clearance before the end of April.

     Rental Payments: M/AS/OD will develop written
internal control procedures, update the PD to reflect
responsibilities, and establish a contingency arrangement
for performing this function in the event of an extended
absence of the staff member.

     In closing, M/AS/OD appreciates the professional
assistance, courtesy and help of the IG staff,
particularly as we work to implement your
recommendations.